BRUSSELS—A new European privacy law took effect Friday, causing several major U.S. news websites to suspend access across the region as privacy activists filed complaints and data-protection regulators prepared to brandish their new enforcement powers.

Tronc Inc.,
publisher of the Los Angeles Times, New York Daily News and other U.S. newspapers, was among those that blocked readers in the European Union from accessing sites, as they scrambled to comply with the sweeping regulation.

“We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market,” Tronc said in notices it displayed when users attempted to access its news sites from the EU on Friday morning. A spokeswoman didn’t elaborate when asked for details.

Some U.S. regional newspapers owned by
Lee Enterprises Inc.
LEE -1.55%
were also blocking access in the EU on Friday. Bookmarking app Instapaper, owned by Pinterest. Inc., said it was “temporarily unavailable” while the services makes changes “in light of” GDPR.

A spokesman for Lee Enterprises said that European traffic to its sites “is de minimis, and we believe blocking that traffic is in the best interest of our local media clients.”

The EU’s General Data Protection Regulation authorizes steep fines for companies that don’t comply with the new rules, aimed at giving Europe-based users more control over the data about them that companies hold. As of Friday, firms that violate the EU’s privacy rules risk fines as high as 4% of their global revenue.

A screenshot shows a message to users trying to access the Los Angeles Times from Europe on Friday.
Photo:
George Downs for The Wall Street Journal

Businesses have raced to comply with the new law, but surveys indicate that a majority may not be ready. Some appear to be deciding it is safer to suspend access in Europe, at least temporarily, rather than risk sanctions, which the EU’s top privacy regulator this week warned could come soon.

“I’m sure you won’t have to wait for a couple of months,” said Andrea Jelinek, who heads the new European Data Protection Board, which includes national data-protection regulators from each of the EU’s member countries.

Speaking about companies’ decision to block their websites from operating in the EU, Ms. Jelinek said Friday that she expects the impact to be limited. “I’m convinced that the loss of information won’t be that big because I’m sure that the Los Angeles Times will reopen their website—I’m sure,” she said.

Related

News sites weren’t alone in feeling heat from GDPR on Friday. Privacy activists were quick to take aim
Facebook Inc.
and
Alphabet Inc.’s
Google, using the new law’s provisions allowing consumer groups to file collective complaints. On Friday, a litigation initiative started by activist Max Schrems alleged that the companies demand “forced consent” from users by applying new take-it-or-leave-it privacy policies.

Those complaints will be reviewed by Helen Dixon, Ireland’s data protection commissioner, who is the lead regulator for Google and Facebook because they make their EU headquarters in Ireland. Ms. Dixon’s office is already reviewing along with other regulators what data companies can legitimately demand as necessary to fulfill a contract with consumers.

“This is an issue we will be looking at immediately,” Ms. Dixon said on Friday. “We are going to have a lot on our plate.”

Erin Egan, Facebook’s chief privacy officer, said the company has worked to comply with GDPR, updating policies and privacy settings, and will continue to do so. “Our work to improve people’s privacy doesn’t stop on May 25th.”

A Google spokesman said the company has updated its products to give users more control, adding: “We build privacy and security into our products from the very earliest stages and are committed to complying” with the GDPR.

GDPR arrives as Facebook is still struggling to contain the fallout from revelations that data-analytics firm Cambridge Analytica improperly obtained the personal information of as many as 87 million users of the social network.

Facebook CEO Mark Zuckerberg visited European Parliament this past week to answer questions about the scandal, which EU officials say only reconfirmed the need for the new privacy rules and helped promote the legislation to the broader public.

Those updated privacy policies flooding your inbox due to Europe's GDPR compliance deadline on May 25 are so long that if you print out the ones from 30-some most-used apps, you could span a football field. Really. WSJ's Joanna Stern provides tips on how to tackle the gibberish.

On Thursday, Mr. Zuckerberg told a tech conference in Paris that his company has worked hard to comply with GDPR, including by giving users the option of seeing targeted ads on Facebook based on their use of other websites and apps.

“The vast majority of people choose to opt in,” he said, “because the reality is, if you’re going to see ads on a service, you want them to be relevant and good ads.”

On Friday, Ms. Jelinek, head of the EU privacy board, said that regulators won’t be “sanctioning machines” and that they will use other tools like warnings to ensure compliance.

Companies say, however, that the potential for aggressive penalties is likely to affect some business decisions. Large enterprises acquiring small startups that use personal data might decide against launching a service in Europe, out of concern that the startup could expose the parent to a fine based on the entire enterprise’s revenue.

“If I could choose between [launching a data-related business] in Paris and in New York…I’m going to at least advise the business people to do it in New York,” said David Hoffman, global privacy officer at Intel Corp.